[syslog-ng] two sources one udp address

Balazs Scheidler bazsi at balabit.hu
Sat Feb 6 17:08:57 CET 2010


On Sun, 2010-01-24 at 22:27 -0800, Alexei Shilin wrote:
> Hi!
> I have 
> source src {
>  unix-stream("/dev/log" max-connections(512));
>  internal();
>  file("/proc/kmsg");
>  udp(port(514));
> };
> ...
> source temp {
>  udp(port(514));
> };
> 
> and then I have two log rules: one for src and one for temp, no flags are
> set.
> 
> Will those two sources play nice with each other and will not interfere?
> E.g. if one reads from that port, will the log message that was read by
> the first be available for read by the second?

This won't work and will result in a bind error when the second source
is being initialized.

I don't know what you want to accomplish, but the "tags" feature of
syslog-ng 3.1 may be useful for you.

With that you can tag a message as it enters syslog-ng:

source s_udp { udp(port(514) tags("net-message")); };

source s_tcp { tcp(tags("net-message")); };

filter f_net { tags("net-message"); };

log { filter(f_net); destination(...); flags(catch-all); };

You can also attach tags via patterndb, and it is quite useful to know
that tag-based filtering is really fast (since it only takes one bit
comparison to evaluate). This is way faster than host/program/etc. based
filtering.

-- 
Bazsi
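
Added example, not part of the original message or of syslog-ng itself: a small Python check that scans a configuration for the situation described in the reply, the same udp/tcp listener declared in more than one source, so it can be caught before the daemon is started. The parser is simplified (no braces or parentheses inside quoted strings), and treating a missing port() as 514 and a missing ip() as 0.0.0.0 is an assumption of this example.

```python
import re
from collections import defaultdict

DEFAULT_PORT = 514  # assumption: port used when a driver has no port() option

# Constructed sample: the two sources from the question plus s_tcp from the reply.
SAMPLE = '''
source src {
 unix-stream("/dev/log" max-connections(512));
 internal();
 file("/proc/kmsg");
 udp(port(514));
};
source temp {
 udp(port(514));
};
source s_tcp { tcp(tags("net-message")); };
'''

def driver_args(body, start):
    """Return the text between the parenthesis at body[start] and its match."""
    depth = 0
    for i in range(start, len(body)):
        if body[i] == "(":
            depth += 1
        elif body[i] == ")":
            depth -= 1
            if depth == 0:
                return body[start + 1:i]
    raise ValueError("unbalanced parentheses in source block")

def listeners(config):
    """Map (proto, ip, port) -> names of the sources that declare it."""
    found = defaultdict(list)
    for name, body in re.findall(r"\bsource\s+([\w.-]+)\s*\{(.*?)\}\s*;", config, re.S):
        for m in re.finditer(r"\b(udp|tcp)\s*\(", body):
            args = driver_args(body, m.end() - 1)
            port = re.search(r"\bport\s*\(\s*(\d+)\s*\)", args)
            ip = re.search(r'\bip\s*\(\s*"?([\w.:]+)"?\s*\)', args)
            key = (m.group(1), ip.group(1) if ip else "0.0.0.0",
                   int(port.group(1)) if port else DEFAULT_PORT)
            found[key].append(name)
    return found

def bind_conflicts(config):
    """Listeners declared more than once; the later declaration cannot bind."""
    return {k: v for k, v in listeners(config).items() if len(v) > 1}

if __name__ == "__main__":
    for (proto, ip, port), names in bind_conflicts(SAMPLE).items():
        print(f"{proto} {ip}:{port} is declared by sources: {', '.join(names)}")
```

Only exact address matches are compared; a wildcard listener overlapping a specific ip() on the same port is not flagged.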



